Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Tuesday, February 13, 2007

TSA has outsourced the TSA Traveler Identity Verification Program?

Feb 20 2007 Update: TSA took the site down, and has put it back up again. They've fixed a few of the problems, but the website is still outsourced, and still uses cookies (a violation of federal policy). See more here

"The TSA Traveler Identity Verification Program is designed to assist those airline passengers who have been delayed or prevented from traveling as a result of TSA's security measures."

The site is specifically aimed at passengers who have suffered from any of the following problems:

* Unable to print Boarding Pass at Kiosk/Home
* Directed to Ticket Counter every time I fly.
* Ticket Agent states that I am on a Federal Government Watch List
* Missed flight while attempting to obtain boarding pass

You can submit a handy-dandy form online to register your request/complaint.

Two things immediately jump out at me.

1. You are required to enter sensitive information from three of the following forms of identification:

These are very sensitive bits of information. A driver's license number in particular is often used by banks (due to Patriot Act provisions) to authenticate you when you open an account.

Worst of all - the form you submit doesn't go over an SSL connection! It goes in plaintext over the wire. Heaven forbid you do this from an airport Starbucks after being denied boarding, as anyone could sniff your info.

The relevant bit of code in question: <form method=POST action=/pivf.htm>

Now, they do at least have an SSL web server running at https://rms.desyne.com/. But they're using a self-signed cert.

Update: I want to make it clear. I've only tested this by pressing submit on an empty form, and by viewing the source code to the form. To tell for sure, I'd have to submit a request to TSA - with bogus data.. and my now finely tuned "will TSA investigate me for this" radar tells me that submitting false information to an official government request form is a bad bad idea.

I searched the source for the word "https" - nothing. I also found the 'form method' section, where it describes how the form is submitted. It's quite possible that the creators of the website have created some kind of url-rewriting javascript sneaky tricks - although Occam's Razor leads me to believe that a simple mistake on a web designer's part is far more likely...
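The check described above (find the form, resolve its action against the page URL, see whether it posts over HTTPS) can be done mechanically. This is an added example written for this post, not the author's or TSA's code; the page URL and HTML below are constructed from the values quoted in the post, and the point it shows is that a relative action like /pivf.htm inherits the scheme of the page it was loaded from.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its method, resolved action and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative action ("/pivf.htm") resolves against the page URL,
            # so a page loaded over http:// submits over http:// as well.
            self._current = {
                "method": (attrs.get("method") or "GET").upper(),
                "action": urljoin(self.page_url, attrs.get("action") or ""),
                "fields": [],
            }
        elif tag == "input" and self._current is not None and attrs.get("name"):
            self._current["fields"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_forms(page_url, html):
    """Return every form whose resolved action URL is not https."""
    parser = FormCollector(page_url)
    parser.feed(html)
    return [f for f in parser.forms if urlsplit(f["action"]).scheme != "https"]


# Constructed sample: the domain and action are the ones quoted in the post,
# the field names are made up for illustration.
SAMPLE_URL = "http://rms.desyne.com/pivf.htm"
SAMPLE_HTML = """<html><body>
<form method=POST action=/pivf.htm>
  <input name="drivers_license">
  <input name="passport">
  <input type="submit" value="Submit">
</form>
</body></html>"""

if __name__ == "__main__":
    for form in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print("plaintext submission:", form["method"], form["action"], form["fields"])
```

Feeding the same HTML with an https:// page URL yields no findings, which is exactly why the scheme of the page itself, not just the form markup, decides where the data goes.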

2. Unlike the rest of the TSA website, this is served from a different domain: http://rms.desyne.com/

This may be surprising to hear: I am an employee at a major airline and I just received an e-mail that said we now have access to the TSA no-fly list, selectee list, and cleared list. I just accessed it and found it to contain thousands of names, DOB, SSN#s, driver's license #'s, military ID #'s, addresses, and even home phone #'s. The TSA just made this list and all of this information readily available to thousands of employees at my airline (and probably others). I think that previously this list was only available to ticket agents, but now it is available to every employee. I find it quite disturbing that any airline employee has access to this information, and that many of the people on the cleared list have to give up their SSN# and other information.

Regarding HTTPS and "It's quite possible that the creators of the website have created some kind of url-rewriting javascript sneaky tricks", you could use Fiddler to watch the actual HTTP request when the form is submitted to see whether they're doing that (without having to examine any javascript they use on the page); see fiddlertool.com.

DESYNE is a very corrupt and dishonest organization run by a man with a criminal record for fraud and internet charges. To have this rogue group linked to anything TSA or government related is a crime...

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.